iFrames were the distribution mechanism
used to create a large population machines infected by the
form-grabbing malware variant dubbed Gozi. In fact,
they’ve become a popular way to dump many varieties of
malware onto unsuspecting web surfers.

iFrames are a browser
feature that allows websites to deliver content from a remote
website within a frame on a page. Think of stock quotes
originating from one site streamed into a small box on another
site.

Criminal hackers exploit this feature by building iFrames
into pages that are one pixel by one pixel—invisible to
the user. Inside that iFrame they can stash executable code
stored at another site. Usually, the stash it’s a tiny
piece of software called a downloader.

A downloader is a single
redirect instruction. When a PC visits the iFramed website,
the downloader is delivered from inside the invisible iFrame
and it tells the browser to visit to some other IP address. Its
job is done.

Usually this address contains another downloader,
which repeats the process. For obfuscation purposes, this may
happen several times before one of the downloaders finally
points to a server containing malware. The malware is delivered
through the iFrame onto the PC. This is how Gozi got on
machines.

Don Jackson, the researcher at SecureWorks who
discovered Gozi, knew this from the beginning of his research
on the point-and-click identity theft site called 76service. 76
and Exoric, the hackers who operated 76service, contracted out
for their iFrames.

iFrames are so effective and easy to
implement that an entirely new business has emerged around
them. Trolling a discussion board, Jackson found out that
76service contracted with a group called iFramebiz.com.

They are believed to be one of the
first and most important iFraming groups. Their business model
is simple and familiar. They pay for clickthroughs. If you
agree to host their iFrame code on your website, you receive a
payout every Monday by PayPal, e-Gold, Western Union or other
method. Base rates ranged from €5 a week in China,
€10 in Asia and €40 for “Other world.”
Payment is contingent on a minimum of 1,000 clickthroughs. (If
you don’t have your own malware to deliver through the
iFrames, they’ll sell you EXEs as well).

A few Euros a
week doesn’t sound like much money, but most iFramebiz
customers control tens or hundreds of domains, some active,
some languishing. Say you owned 100 domains. You could drop the
3kb of iFrame code on all of those sites and make 500 to 4,000
euros just for letting it live there. Seeing the opportunity,
some entrepreneurs are buying up domains just to host the
iFrame code and then hustle to direct traffic to their sites.
The iFramers also inject their iFrames into legitimate websites that have vulnerabilities which allow it to happen.

Then, with a portfolio of infected sites they turn around and
sell access to their network. At the time of Jackson’s
research, the going rate was one dollar per infection. No one
knows how many infected sites 76service paid for. Font.com was
one site that accounted for many Gozi infections, likely chosen
because of its broadness and the likelihood that unsavvy users
would type in that URL if they were looking for fonts.
Alchemylab.com was another, according to Jackson. (Both have
been cleaned up since).

Jackson and the anonymous researcher
believe 76service may have paid a premium for an enhanced
service—exclusive access to and management of the iFramed
pages. That allowed 76 and Exoric to easily move their site
around (as the good guys had forced them to) without having to
constantly ask the iFramers to reconfigure the iFrames to point
to new IP addresses where downloaders and malware had been
moved to. It’s something like if you owned a convenience
store and you moved it every so often, and you could pay for
the right to set up your own detours to redirect traffic to
your store’s new location.

Someone looking to deposit
malware like Gozi on machines has few better options than
iFrames, because of their ability to intervene without the
user’s help. In a short amount of time, iFrames have
become the malware distribution method of choice. Graham
Clueley of the anti-virus vendor Sophos says his
company’s research shows 8,000 new webpages per day, a
quarter-million pages per month, hosting illicit code or
activity, most of which he says, are iFrame exploits. Of those,
Clueley says, 70 percent are found on legitimate websites.

iFrames have other advantages, too. Separating the distribution
network from the malware, making it a service in itself, speeds
up redeployment, because once a site hosts an iFrame, it
remains available for distribution of any variant or new piece
of malware.